Allow developers to enable auto-login for their frontend (#414)

With this change, the `setAutoLoginCredentials()` function gets exposed as a public API. While it should be used with extreme care (since using it means hard-coding the NATS credentials into the built frontends), this enables developers to enable auto-login in their Telestion based frontends by calling: ```ts setAutoLoginCredentials({ natsUrl: 'ws://localhost:9222', username: 'nats', password: 'nats' }); ``` While there are, obviously, security risks associated with this, some use-cases require such functionality which is why it gets exposed as an official API to at least make it as secure as possible by tightly integrating it into the core framework. To make developers aware of the security implications, they are described in the documentation and the function is marked as `@deprecated` for extra attention.
wuespace · Jan 17, 2024 · 5159584 · 5159584
2 parents d26f1e7 + dce62c6
commit 5159584
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/frontend-react/src/app/index.tsx b/frontend-react/src/app/index.tsx
@@ -1,6 +1,7 @@
 import { initTelestion, registerWidgets, UserData } from '@wuespace/telestion';
 import { simpleWidget } from './widgets/simple-widget';
 import { errorWidget } from './widgets/error-widget';
+import { setAutoLoginCredentials } from '../lib/auth';
 
 const defaultUserData: UserData = {
 	version: '0.0.1',
@@ -29,6 +30,12 @@ const defaultUserData: UserData = {
 
 registerWidgets(simpleWidget, errorWidget);
 
+setAutoLoginCredentials({
+	natsUrl: 'ws://localhost:9222',
+	username: 'nats',
+	password: 'nats'
+});
+
 await initTelestion({
 	version: '0.0.1',
 	defaultBackendUrl: 'ws://localhost:9222',

diff --git a/frontend-react/src/lib/auth/auto-login.ts b/frontend-react/src/lib/auth/auto-login.ts
@@ -4,8 +4,17 @@ import { z } from 'zod';
 const AUTO_LOGIN_KEY = 'auto-login';
 
 const autoLoginSchema = z.object({
+	/**
+	 * The URL of the NATS server to connect to.
+	 */
 	natsUrl: z.string(),
+	/**
+	 * The username to use when connecting to the NATS server.
+	 */
 	username: z.string(),
+	/**
+	 * The password to use when connecting to the NATS server.
+	 */
 	password: z.string()
 });
 
@@ -51,10 +60,19 @@ export async function attemptAutoLogin(): Promise<boolean> {
 }
 
 /**
- * @internal
- * Store auto-login credentials in sessionStorage.
+ * Sets credentials with which to auto-login.
+ *
+ * If an auto-login attempt fails, the credentials will be cleared for the remainder of the session and a login form
+ * shown to the user. If the user logs in successfully, the credentials will be updated.
+ *
+ * ### Security Warning
+ *
+ * Use this function only if user authentication is handled by a separate system. Calling this function in
+ * your application means your NATS credentials will be hard-coded into your application, which is a security risk.
  *
  * @param credentials - The credentials to store
+ * @deprecated No, this won't be removed anytime soon. You can ignore this warning if you're aware of the security
+ * implications.
  */
 export function setAutoLoginCredentials(
 	credentials: z.input<typeof autoLoginSchema>

diff --git a/frontend-react/src/lib/auth/index.ts b/frontend-react/src/lib/auth/index.ts
@@ -14,5 +14,5 @@
 export * from './model.ts';
 export * from './state.ts';
 export * from './controller.ts';
-export { attemptAutoLogin } from './auto-login.ts';
+export { attemptAutoLogin, setAutoLoginCredentials } from './auto-login.ts';
 export * from './hooks';